Hi, String#escapeHTML escapes HTML. Double quotes, single quotes, and newlines are all valid in HTML, so IMHO it's out of scope for escapeHTML to escape them. FWIW, I'd say the requirement you're describing is specific enough to you that you should probably just add it at your end. For instance, if your JSON strings are delimited with double quotes, there's no need to escape single quotes (and vice versa).
> The example in the documentation of escapeHTML also contains this
> error, but no warning about this behaviour.

The example in the docs is:

    '<div class="article">This is an article</div>'.escapeHTML();
    // -> "&lt;div class="article"&gt;This is an article&lt;/div&gt;"

I can see why you're thinking of that as an error, if you think of the entire thing after the "// ->" as being a JavaScript string literal, but it isn't -- it's just documentation. The quotes are to indicate the value is a string, not that the whole thing is a string literal. Other places will say things like "// -> Alerts 'Hi there'" which is also not valid JavaScript.

I wouldn't say it's clear, though, and FWIW I agree we should change it -- probably to an example that doesn't use double quotes. If you create a lighthouse ticket, feel free to assign it to me. I'd probably add something like this to the docs:

"Note that escapeHTML escapes HTML tags. If you're going to include the result in a string literal, you may also need to escape double quotes, single quotes, and newlines. String#gsub may be useful for doing that."

FWIW,
--
T.J. Crowder
tj / crowder software / com
Independent Software Engineer, consulting services available

On Jun 24, 9:39 am, Szymon Wilkołazki <wilkola...@gmail.com> wrote:
> Hi,
>
> I just tried to put a json object inside an attribute and I bumped into
> an issue with String#escapeHTML().
>
> The method does escape all the ampersands and the greater/less than
> signs, but it does nothing to the quotes.
>
> This makes the method completely unusable for writing attributes (for
> innerHTML use).
>
> Let's get through an example:
>
> var eventMemo = {
>   aLabel: 'some String with "quotes", \'apostrophes\'...',
>   otherLabel: 'another String with &ersands and <tags>'};
>
> // I want this object inside an html attribute, so let's
> // make it JSON and escape it:
> var attr = Object.toJSON(eventMemo).escapeHTML();
>
> var link = '<a href="javascript:;" class="fireCustomEvent"'+
>   ' data-eventMemo="' + attr + '" > '+
>   ' this link is supposed to fire custom event with memo '+
>   ' read from data-eventMemo attribute '+
>   '</a>';
>
> // let's see what this link looks like in Firebug:
> console.log(link);
>
> The output is:
> <a href="javascript:;" class="fireCustomEvent"
> data-eventMemo="{"aLabel": "some String with \"quotes\",
> 'apostrophs'...", "otherLabel": "another String with &ampersands
> and &lt;tags&gt;"}" >this link is supposed to fire custom event with
> memo read from data-eventMemo attribute</a>
>
> As you can see, the output is completely broken, as the " are not
> converted to &quot; and ' to &#39;
>
> One has to append further replaces to properly escape the string:
>
> var attr =
>   Object.toJSON(eventMemo).escapeHTML().gsub(/"/,'&quot;').gsub(/'/,'&#39;');
>
> The example in the documentation of escapeHTML also contains this
> error, but no warning about this behaviour.
>
> IMHO:
> 1. A note should be added to the docs about this issue, and an example
>    of how to properly escape a string for use inside attributes;
> 2. A parameter could be added to this method which would escape
>    quotes automatically.
>    Or a separate function could be introduced, e.g. escapeHTMLquots()
>    which would do the same unconditionally.
> 3. The current behaviour of the method can not be changed, as this would
>    create backward incompatibility.
>
> I will place an issue about the docs, and I would like to hear your
> opinion about the method modifications.
>
> Best Regards,
> SWilk
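The attribute-context problem the thread describes, worked through as an added example (not code from Prototype or from either poster). `escapeHTMLLikePrototype` mirrors only what the thread says `String#escapeHTML` does (ampersands and angle brackets); `escapeAttribute`, `buildLink`, `decodeEntities` and `readEventMemo` are assumed helper names, and `readEventMemo` is a deliberately minimal stand-in for what a browser's parser would return through `getAttribute`. The sample memo is constructed to match the one in the thread.

```javascript
// Added example: why escaping only &, <, > is not enough once the result
// is dropped inside a double-quoted HTML attribute. Plain JavaScript, no
// Prototype dependency.

// Mirrors the behaviour the thread attributes to String#escapeHTML:
// ampersands and angle brackets only; both quote characters pass through.
function escapeHTMLLikePrototype(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute-safe variant (assumed helper, not a Prototype API): escapes
// both quote characters as well, so the value can never close the attribute
// it is placed in, whichever quote style the markup uses.
function escapeAttribute(s) {
  return escapeHTMLLikePrototype(s)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Builds the same kind of anchor as the thread's example, with the chosen
// escaper applied to the JSON payload.
function buildLink(memo, escaper) {
  var attr = escaper(JSON.stringify(memo));
  return '<a href="#" class="fireCustomEvent" data-eventMemo="' + attr + '">' +
         'fire custom event</a>';
}

// Reverses the five entities produced above. &amp; is decoded last so an
// escaped ampersand cannot be turned back into a live entity prefix.
function decodeEntities(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Minimal reader for the data-eventMemo attribute: takes the first
// double-quoted value after the attribute name (exactly where an HTML
// parser would stop) and tries to parse it as JSON. Returns the decoded
// raw value and the parsed object, or null when the payload is corrupt.
function readEventMemo(html) {
  var m = /data-eventMemo="([^"]*)"/.exec(html);
  if (!m) {
    return { raw: null, value: null };
  }
  var raw = decodeEntities(m[1]);
  var value = null;
  try {
    value = JSON.parse(raw);
  } catch (e) {
    // attribute was cut short by an unescaped quote: nothing usable
  }
  return { raw: raw, value: value };
}

// Constructed sample memo, same shape as the one in the thread.
var eventMemo = {
  aLabel: 'some String with "quotes", \'apostrophes\'...',
  otherLabel: 'another String with &ersands and <tags>'
};

// With only &, <, > escaped, the first " inside the JSON terminates the
// attribute; the reader gets back "{" and the parse fails.
function brokenRoundTrip() {
  return readEventMemo(buildLink(eventMemo, escapeHTMLLikePrototype));
}

// With quotes escaped too, the JSON survives the attribute intact.
function safeRoundTrip() {
  return readEventMemo(buildLink(eventMemo, escapeAttribute));
}

console.log('escapeHTML only :', JSON.stringify(brokenRoundTrip()));
console.log('attribute escape:', JSON.stringify(safeRoundTrip()));
```

The same round-trip check is a cheap unit test to keep next to any code that serialises data into attributes: build the markup, read the attribute back the way the browser would, and assert the original object comes out. The failure mode is silent otherwise, because the truncated attribute is still well-formed HTML.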